Getting Data In

How to convert all fields that have "Date" in the name to a standard date format from JSON message data?

nfieglein
Path Finder

Hi,
I have a number of date fields in a JSON message. I would like to be able to use standard date comparison functions on those fields, but I have to convert them to date fields first. Is there a mechanism to convert all fields which have Date in the name?

Thanks

Tags (3)
1 Solution

somesoni2
Revered Legend

You can have a look at the convert command which can convert a string to date and can take wildcard in the field name.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Convert

A sample will be

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

View solution in original post

nfieglein
Path Finder

The following from somesoni2 works perfectly! Thanks somesoni2!

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

somesoni2
Revered Legend

You can have a look at the convert command which can convert a string to date and can take wildcard in the field name.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Convert

A sample will be

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

somesoni2
Revered Legend

You're looking for a search time option or some automatic option (in props/transforms conf files)?

0 Karma

nfieglein
Path Finder

I would be fine with a search time option, but I would like to be able to add a correspnding epoch time field for every date value that I have, including multivalue fields.

0 Karma
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...